Windows 8's most obvious—and most divisive—new feature is its user interface. However, it would be a mistake to think that the user interface is the only thing that's new in Windows 8: there's a lot that's changed behind the scenes, too.

Just as is the case with the user interface, many of the improvements made to the Windows 8 core are motivated by Microsoft's desire to transform Windows into an effective tablet operating system. Even those of us with no interest at all in tablets can stand to take advantage of these changes, however. For example, Windows 8 is more power efficient and uses less memory than Windows 7; while such work is critical to getting the software to run well on low-memory tablets with all-day battery life, it's equally advantageous for laptop users.

The biggest single piece of technology that is new to Windows 8 is, however, squarely Metro focused: it's a large set of libraries and components called WinRT. I've already written extensively about what WinRT is, so I won't be getting into that here, but there are system capabilities that WinRT apps can use (or are forced to use) that are interesting in their own right.

Playing in the sandbox

First up is sandboxing. Metro-style apps are all sandboxed: by default, each app can only read from and write to its own private storage area. If the app needs to do anything more than this—access the Pictures library, say, or connect to the network as either a client or a server—it must explicitly declare that it needs these extra capabilities in something called a manifest. This prevents apps from being able to read each other's files, documents that you haven't explicitly granted them permission to read, and so on. This serves two purposes: it helps safeguard user privacy, instilling greater confidence in apps downloaded from the store, and it also reduces the impact of security flaws in those apps.

These sandboxes are enforced by a new Windows 8 feature called AppContainers, which in turn builds on a feature introduced in Windows Vista, called integrity levels. Before integrity levels, access to files and registry keys on Windows was governed solely by the user identity. Every file and registry key has an access control list (ACL) which describes which users and groups can perform what operations to those files and registry keys. For example, an ACL on a file might say that User A can read the file, User B can read and write the file, and Group C can read, write, and delete the file. Every process running with User B's identity would have the same access to that file: read and write.

Integrity levels created a system to give processes all running with the same user identity different levels of access to the system. Each process has not just the user identity, but also an integrity level, denoting the trust given to the process. Web browsers, for example, would be given low integrity, because they're not especially trusted (because they are so often attacked and exploited by malicious Web pages). A normal process such as Notepad might be given medium integrity, because it's relatively unlikely to be attacked. An installer or setup program might be given high integrity, because it's trusted to update pieces of system configuration. There is also an untrusted integrity, that's even lower than low, and a system integrity, that's even higher than high.

Every file and registry key on the system is tagged with an integrity level, which specifies the minimum level required to write the file. Reads are (almost) always allowed. Temporary directories, for example, might be tagged with low integrity, allowing even Web browsers to use them. System directories will be tagged with high integrity, preventing modification by low and medium integrity processes.

This integrity level system was instrumental in User Account Control (UAC), the confirmation prompts also introduced with Windows Vista. With UAC enabled, even an Administrator account normally runs processes with only medium integrity, which prevents them from modifying system files. Accepting a UAC prompt creates a process with high integrity. This is why you need to perform UAC elevation before you can modify system files.

AppContainers introduce an additional integrity level, called simply AppContainer. AppContainer is even more restricted than low integrity: it blocks reads as well as writes. Unlike low integrity, it isn't a simple tag. When each Metro app is installed, the system examines the capabilities that the app says it needs in its manifest—network access, library access, and so on—and constructs a unique AppContainer security identifier based on those capabilities. When the app is run, it not only has the AppContainer integrity level applied; it also has this security identifier applied.

Windows then uses this information to perform extra validation whenever the process tries to perform a restricted operation, such as opening a file or making a network connection. It uses the information in the security identifier to determine whether to allow the operation. For example, only if the security identifier indicates that the process has "access the Photos library" capability will the system allow the app to open files from the Photos library.
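To make the three layers described above concrete, here is a small model of the access check (an added example written for this article, not Windows code): an identity-based ACL, the integrity label that gates writes, and the AppContainer capability set derived from a manifest that gates reads and writes alike. The object names, integrity ordering and the shape of the manifest fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Trust ordering as described in the article: Untrusted < Low < Medium < High < System.
LEVELS = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}
WRITE_OPS = {"write", "delete"}


@dataclass
class SecuredObject:
    name: str
    integrity: str                               # minimum level needed to write
    acl: dict = field(default_factory=dict)      # user -> set of allowed operations
    package: Optional[str] = None                # owning Metro app, if private storage
    capability: Optional[str] = None             # capability a sandboxed app must hold


@dataclass
class Process:
    user: str
    integrity: str
    appcontainer: bool = False
    package: Optional[str] = None                # app identity when sandboxed
    capabilities: frozenset = frozenset()        # derived from the app's manifest


def capabilities_from_manifest(xml_text: str) -> frozenset:
    """Collect the capability names an app declares, the information the
    installer folds into the AppContainer security identifier."""
    root = ET.fromstring(xml_text)
    return frozenset(c.attrib["Name"] for c in root.iter("Capability"))


def access_check(proc: Process, obj: SecuredObject, op: str) -> bool:
    """Return True if proc may perform op on obj."""
    # 1. Discretionary check: the identity-based ACL that predates integrity levels.
    if op not in obj.acl.get(proc.user, set()):
        return False
    # 2. Mandatory integrity: writes need a level at least as high as the
    #    object's label; reads are not restricted at this layer.
    if op in WRITE_OPS and LEVELS[proc.integrity] < LEVELS[obj.integrity]:
        return False
    # 3. AppContainer: reads and writes are both blocked unless the object is
    #    the app's own private storage or a declared capability covers it.
    if proc.appcontainer:
        own_storage = obj.package is not None and obj.package == proc.package
        granted = obj.capability is not None and obj.capability in proc.capabilities
        if not (own_storage or granted):
            return False
    return True


# Constructed manifest fragment (assumed shape, no namespace) for a photo app.
PHOTOS_MANIFEST = """<Package><Capabilities>
  <Capability Name="picturesLibrary"/>
  <Capability Name="internetClient"/>
</Capabilities></Package>"""

# Constructed sample objects and processes, all owned by the same user.
SYSTEM_DLL = SecuredObject("C:\\Windows\\System32\\example.dll", "High",
                           {"alice": {"read", "write", "delete"}})
TEMP_DIR = SecuredObject("C:\\Temp", "Low", {"alice": {"read", "write"}})
PHOTO = SecuredObject("C:\\Users\\alice\\Pictures\\cat.jpg", "Medium",
                      {"alice": {"read", "write"}}, capability="picturesLibrary")
APP_STATE = SecuredObject("Packages\\Photos\\LocalState\\db", "Low",
                          {"alice": {"read", "write"}}, package="Photos")

NOTEPAD = Process("alice", "Medium")
ELEVATED = Process("alice", "High")
IE_TAB = Process("alice", "Low")
PHOTOS_APP = Process("alice", "Low", True, "Photos",
                     capabilities_from_manifest(PHOTOS_MANIFEST))
NEWS_APP = Process("alice", "Low", True, "News", frozenset({"internetClient"}))
```

Running the checks shows the layering: Notepad can read but not write the system DLL, the elevated process can write it, the low-integrity browser tab can write to the temp directory but not to the user's photo, and the news app cannot even read the photo because its manifest never asked for the Pictures library.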

This system allows Windows to exercise tight control over Metro applications. It removes access to almost the entire system, letting them see only a tiny selection of files.

Although the sandboxing AppContainer mechanism is primarily used by Metro apps, it's not actually restricted to them. There's an API and documentation for it, and regular applications, even on the desktop, can use it. The first application to actually do so is Internet Explorer 10. Internet Explorer has two guises in Windows 8: a desktop guise, and a Metro guise. The Metro guise puts all of its tabs in AppContainers, so if a malicious attack is made, it will be quite a bit harder for the attacker to break out and damage the system.

Desktop Internet Explorer doesn't put its tabs in AppContainers by default, because most plugins and extensions can't cope with such a limited environment—they need to at least be able to read the hard disk, so need at least low integrity. However, you can opt in to a new mode called Enhanced Protected Mode that will put each tab of the desktop browser into a sandbox. If you come across a page that needs an extension, Internet Explorer will offer to reload the page without the sandbox.

Mozilla has investigated the AppContainer mechanism for its own Metro browser so Internet Explorer is unlikely to be the sole browser to offer this security. Other software such as Adobe Reader also uses sandboxing, and over time could take advantage of this Windows 8 feature.

Power preservation

Preserving battery life is one of the key goals for Metro applications. Unlike desktop applications, Metro applications aren't in general allowed to run in the background; unless you're actively looking at a Metro application, Windows suspends it after a few seconds. If memory becomes low, Windows will quietly terminate the app. Switching back to the app, whether it was suspended or terminated, resumes it.

To ensure that apps don't lose their state when terminated, they're given an opportunity to save any necessary information just before they get suspended. They can then reload this information when resumed, allowing the user to continue using the app without any interruption.

Apps that need to do work in the background without that work being interrupted by suspension and resumption can register background tasks. These background tasks are subject to tight CPU and network usage constraints to ensure they don't interfere with the machine's performance.

In and of itself, that's not too special. It's just suspending and resuming some processes. However, Windows 8 takes this to another level with a feature called Connected Standby.

Connected Standby allows Windows to take process suspension to the next level, pausing not just apps but the entire machine, while still allowing these background tasks to run.

With Connected Standby, the operating system can put itself in an extremely low-power suspended state, but without losing network connectivity. Whenever some network activity occurs, it will wake up just enough to handle that activity, before going back to sleep. With Connected Standby, a system can receive all the power savings and long lifetime of standby mode, but still fetch new e-mail as it arrives, respond to VoIP calls, or whatever else it might take to keep up-to-date.

Connected Standby isn't a pure software feature. It requires network adaptors to support a special suspend mode, whereby they remain connected to the network, but do not need the CPU to poll them periodically (this is particularly an issue for USB network adaptors). It also requires a processor that can operate without a fan, a solid state disk, and the system firmware to advertise support of a very-low-power idle mode.

These capabilities, especially the ability to operate without a fan, are rare, and presently restricted to certain system-on-chip (SoC) machines, such as Microsoft's Surface. The passive cooling requirement makes it unlikely that we'd ever see, for example, Connected Standby support on an Ivy Bridge machine, but none of the requirements actually require the use of SoCs.

When a system supports Connected Standby, those Metro background tasks can fire up if necessary even when the system is suspended. Programs such as Skype listen out for network activity in a background task. The system goes to sleep, but if the Skype connection should start receiving data due to an incoming call or instant message, the network adaptor wakes the CPU and lets the Skype task start handling the data. Skype might then update its indicator on the lock screen to show that you've got a new IM or missed a call, or it could sound the speaker to alert you to the call.

Connected Standby allows machines to sleep for days at a time while still remaining up-to-date. The only wrinkle is that at the moment, only Metro apps can register background tasks to run during Connected Standby. Desktop applications get completely suspended. So while the Metro Mail app might be able to keep itself up-to-date even with the machine almost "turned off," Outlook cannot.

139 Reader Comments

So arse finally has a windows only set of articles and people still feel the need to be the first to bash apple.

Back on topic. I like what I'm seeing with microsoft these days. It really looks like they are looking beyond today and might have some neat things coming down the road. I don't think much of windows 8 or any of the products they are debuting but I think it is a good start that can hopefully lead to good places.

Great read! Thanks for confirming and substantiating what some of us have been trying to say in the forums: windows 8 has many under the hood improvements! It is a worthy upgrade.

People complaining are mainly desktop users and for us these changes are somewhere between zero and insignificant. Sure, a bit more security is nice but most danger is social stuff anyway so that is nothing an OS can do about. Memory use reduction is nice but with the amounts today's desktops have it's again insignificant. Same for tiny changes in power use. Useful for mobile computing but for desktops not so much.

Many of those ASLR features being introduced in Windows 8 sound like they should have been part of the NT 6.0 kernel from the beginning. I understand why ASLR would have been relatively weak in the 32 bit version but why limit the 64 bit version at that time?

Memory deduplication sounds neat but something I see mainly having an impact in the server space, in particular terminal servers.

SMEP sounds like something that should have arrived with the NX bit in terms of hardware. This article only mentions IvyBridge support on the Intel side but does AMD offer an alternative and on what hardware? How about this feature on the ARM side of things? Does ARM's privilege level system already incorporate SMEP or make it a non-issue?

So, what are the real world power savings like over Windows 7 - enough to be worth upgrading for, or just an extra 30 seconds battery life?

I had pretty much decided to ignore Windows 8, but now I'm going to have to watch it until I find out the answer to that question. Thanks, Peter.

How much improvement you'll see depends quite a bit on your own usage pattern and also hardware. But, on a thinkpad X200T, which is an old laptop, I am getting about 25 minutes more battery life compared to windows 7. This is average value over 10 tests.

I, too, am curious about battery life improvements. Windows 8 has been a mixed bag for me so far, and I'm still on the "no upgrade" side of the fence. I'm watching these featurettes to see if I can be swayed to part with $15, a few hours of time, and doing some family retraining on the home PC.

fb39ca4 wrote:

jayrulez wrote:

Hello Peter,

Just finished reading the sandbox section.

"AppContainer blocks both reads as well as rights.", I suppose you meant "AppContainer blocks both reads as well as writes."?

So you mentioned that the Linux kernel had the "tickless" feature for several years already. I would have appreciated getting this sort of context on the other features. Certainly, it's absolutely fantastic that they've taken these steps to make their kernel better, but I would have liked to know if these are bleeding edge features that no one else has implemented yet (and therefore a reason to consider Windows over others), or whether this is just patching up glaring oversights that have been long resolved by Linux/OSX/BSD.

It's like how the latest versions of IE have grown leaps and bounds when compared against each other (really, hats off to the IE guys for that), but even IE10, which has barely left the door (and hasn't yet for Windows 7), is barely competitive in standards-compliance with even much older versions of Firefox and Chrome, let alone their current versions.

Great read! Thanks for confirming and substantiating what some of us have been trying to say in the forums: windows 8 has many under the hood improvements! It is a worthy upgrade.

People complaining are mainly desktop users and for us these changes are somewhere between zero and insignificant. Sure, a bit more security is nice but most danger is social stuff anyway so that is nothing an OS can do about. Memory use reduction is nice but with the amounts today's desktops have it's again insignificant. Same for tiny changes in power use. Useful for mobile computing but for desktops not so much.

What, exactly, would you like to see fixed? People have complained about memory use for as long as I've cared enough about computers to notice, and they've (finally) done something to address it.

The UI seems to be a dis-improvement, but maybe they'll wise up and fix it; right now they're counting on the fact that any noticeable change results in an outpour of negative response, and mostly after a few months completely disappears.

I went ahead and bought 8 because the online upgrade is $40 for a short period. If I don't like it, I wasted $40; if I don't mind it, I've saved $60 or so on an upgrade. Bit of a gamble, but you have to make those occasionally.

Edit: Oh, yea, and does the ASLR graphic look like crap to all people with the dark scheme, or is it something about the way Chrome renders?

Connected standby = PowerNap in OSX. MSFT should be able to do this on X86, since Apple can do it on X86. This is a great feature and it's great that MSFT supports it. This is a great reason to upgrade to Win8.

thanks for the detailed win8 articles, and the breaking down into several specific articles. Windows is long overdue for "modern" touches, which are understandably hard to implement without sacrificing some backwards compatibility. One thing I haven't learned yet, is what's the install size...this would also be influenced by the tablet crowd, but it also affects me because I use windows on a SSD based system. I'd love to be able to squeeze more crap onto my C drive! Drives mapped to letters...now THERE'S some legacy cruft for ya!

These capabilities, especially the ability to operate without a fan, are rare, and presently restricted to certain system-on-chip (SoC) machines, such as Microsoft's Surface. The passive cooling requirement makes it unlikely that we'd ever see, for example, Connected Standby support on an Ivy Bridge machine, but none of the requirements actually require the use of SoCs.

Why not? I'd be surprised if one of these standard 45W or 65W max TDP parts couldn't run with just the stock heatsink (no fan) in its lowest power state. I've used passive CPU heatsinks on 130W parts before, granted they're not as small as the stock ones, but with current power states and shrinks on the latest CPUs it seems entirely doable to run a CPU at its lowest clock without the fan. Although I suppose it becomes a game of not knowing what the user has, but at the very least it seems that OEMs would be able to take advantage of it.

As the article says, there are some good changes in Windows 8. However, none of these features are particularly new, only new to Windows.

AppContainers sound very much like either SELinux or AppArmor on Linux, and quite similar to the permissions model of Android, iPhone and Windows Mobile 7 apps. SELinux has been providing Mandatory Access Control (MAC) in a very similar manner since 2003, although its complex policies could stand to have a system-independent manifest file that could be automatically converted into policies.

Memory deduplication has been in the Linux kernel since 2.6.32 as Kernel SamePage Messaging, and was primarily written for virtual hosts using KVM. However, it works equally well for other pages that remain largely static, depending on how aggressively the reclaimer thread is tuned.

Given the memory density of virtual guests when using memory de-duplication, HyperV is clearly the intended recipient of this feature, but it is nice to see it end up in the rest of the operating system.

These capabilities, especially the ability to operate without a fan, are rare, and presently restricted to certain system-on-chip (SoC) machines, such as Microsoft's Surface. The passive cooling requirement makes it unlikely that we'd ever see, for example, Connected Standby support on an Ivy Bridge machine, but none of the requirements actually require the use of SoCs.

Why not? I'd be surprised if one of these standard 45W or 65W max TDP parts couldn't run with just the stock heatsink (no fan) in its lowest power state. I've used passive CPU heatsinks on 130W parts before, granted they're not as small as the stock ones, but with current power states and shrinks on the latest CPUs it seems entirely doable to run a CPU at its lowest clock without the fan. Although I suppose it becomes a game of not knowing what the user has, but at the very least it seems that OEMs would be able to take advantage of it.

It's more than it has to be able to be passively cooled; it has to tolerate being passively cooled when inside a laptop bag or a similarly constrained environment.

There's a good chance that at least some Haswell systems will support Connected Standby.

Great write-up. A lot of the features on the first page, such as the manifest usage remind me of Android's permissions mechanism, as well. Is there any indication that any of these improvements affect standard desktop apps, or are they restricted to top apps running in the new UI?

Edit: Oh, yea, and does the ASLR graphic look like crap to all people with the dark scheme, or is it something about the way Chrome renders?

Neither. I use Chrome and the dark scheme, I also looked at it in the regular version, and in FF after reading your post. I have no issues with the graphic. Maybe they fixed it after you posted and before I read the article but from my side it looks just as good in all the browsers and schemes that I tested.

I think a lot of the UI issues people have are ones of learning curve pains. When I started using win8 previews I was actually upset with the lack of the start button/shutoff (for example) but have since learned the new UI so that it is actually quicker for me to turn off my machine than before, or sleep it. That isn't to say that the UI learning curve pain isn't a real issue, it is. A big one. BUT, my feeling of win8 is that I like it, tho.. I still like my win7 also. Coming back to the focus of this thread, I very much LIKE seeing the new features under the hood for win8 and it does explain why my old win2k AMD single core, Barton (using a mobile cpu on desktop mboard) actually feels and in fact works better than it ever did on win2k. I never liked XP on that machine, it felt sluggish, never tried vista, but did do a little stint of win7 on it. (it was passable, but not as snappy as the win2k installation). Win8 tho actually works faster, snappier, than even win2k. I suspect the memory management optimizations are the reason for that, more so than anything else. (I am even using "legacy" agp drivers for it and they work like a charm, for now... god I hope i didn't jinx it).

Great write-up. A lot of the features on the first page, such as the manifest usage remind me of Android's permissions mechanism, as well. Is there any indication that any of these improvements affect standard desktop apps, or are they restricted to top apps running in the new UI?

The AppContainer mechanism is available to any application, in principle, though the set of capabilities that are enforced is defined by the operating system and geared towards the kind of capabilities that Metro apps need.

So you mentioned that the Linux kernel had the "tickless" feature for several years already. I would have appreciated getting this sort of context on the other features. Certainly, it's absolutely fantastic that they've taken these steps to make their kernel better, but I would have liked to know if these are bleeding edge features that no one else has implemented yet (and therefore a reason to consider Windows over others), or whether this is just patching up glaring oversights that have been long resolved by Linux/OSX/BSD.

It's like how the latest versions of IE have grown leaps and bounds when compared against each other (really, hats off to the IE guys for that), but even IE10, which has barely left the door (and hasn't yet for Windows 7), is barely competitive in standards-compliance with even much older versions of Firefox and Chrome, let alone their current versions.

Keep in mind that most components of the "standards-compliance" tests that fail in IE are things MS decided intentionally not to include because the standards were not final at the time or seemed to be on their way out. I personally feel it's naïve to think that MS isn't well aware of what standards they aren't "compliant" with, and that they would release a browser that would truly be crippled because of this lack of "compliance" in a particular area.

My Win8 install went smooth. I made a system image of my win7 install just in case something went catastrophically wrong, but so far so good. My first instinct was to burn the download to disc and run it from there, but I ended up doing the install straight from the desktop.

There is definitely something to be said for the upgrade path. I didn't lose any of my programs or files I had installed in Win7, I kept my bookmarks in all my browsers, and even all of the random junk that was on my SSD, like an old Dwarf Fortress install.

Thus far, it's done everything I've asked it to do, and aside from not recognizing my 360 wireless receiver (which win7 didn't recognize either), I've had no issues. Thus far, 95% of my time has been spent outside of metro, but that's not really a surprise, since there aren't any metro apps to use right now, aside from Skype. I really miss my sidebar gadgets, especially my Pandora gadget, my clock, and my temperature monitors. Oh well, gotta take the bad with the good, sometimes.

I have an old Thinkpad that's dog-slow with Vista, but was actually "snappy" with the Win8 preview.

But it's back to Vista for me.

...I tell you, if they made "Windows 8 Ultimate: Start Button Edition" that let you disable Metro and Charms and hot-corners, I would pay full price for it. ...Full. Price..

I've warmed up to the new UI, but you may want to give Start8 a try. It's a surprisingly elegant implementation of the Start Menu functionality for Windows 8, and you can tailor it to have varying degrees of integration with Metro, or almost none at all. For example, you can disable both hot corners and Charms, among other things.